PT-2019-9169 · Glot · Glot-Www+1
Iansmith123 · Published 2019-06-21 · Updated 2022-05-24 · CVE-2018-15747
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
glot-www versions through 2018-05-19
Description
The default configuration of glot-www allows remote attackers to execute arbitrary code because glot-code-runner supports os.system within a "python" "files" "content" JSON file.
Recommendations
For glot-www versions through 2018-05-19, consider disabling the os.system function within the glot-code-runner to prevent remote code execution until a patch is available. Restrict access to the "python" "files" "content" JSON file to minimize the risk of exploitation.
Exploit
Fix
RCE
Affected Products
Glot-Code-Runner
Glot-Www